Re: generating a session id

From: Joe Smith (joe_at_inwap.com)
Date: 12/23/04


Date: Wed, 22 Dec 2004 18:08:31 -0800

ioneabu@yahoo.com wrote:
> I have made an effort to understand a process by exploring it in its
> most basic form, as if I had to create for the first time. Of course
> my simple minded code is not as good as the real thing, but why?

When I connect to your server and get a session ID using your algorithm,
with not too much effort I can determine the current seed of your rand()
function. With that knowledge, I could predict what the next session ID
is going to be, and start hijacking your customers' sessions.

Your method has insufficient entropy and is not of cryptographic quality.
        -Joe
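Added example illustrating Joe's point in Python (not code from the thread or from the original poster): a toy rand()-style generator seeded from a timestamp-like value, the seed-recovery check a defender can run against such a scheme, and a CSPRNG-backed replacement. The LCG constants, the id format and the seed value are assumptions chosen for illustration.

```python
"""Why a rand()-seeded session id is predictable, and what to use instead."""
import secrets
from typing import Optional, Tuple

# Toy linear congruential generator standing in for a libc-style rand().
# Assumption: classic textbook constants, used only for illustration.
M = 2 ** 31
A = 1103515245
C = 12345


def lcg_next(state: int) -> int:
    return (A * state + C) % M


def weak_session_id(seed: int, length: int = 8) -> Tuple[str, int]:
    """rand()-style id: hex digits drawn from a seeded LCG.
    Returns the id and the generator state left behind (the server keeps it)."""
    state = seed
    digits = []
    for _ in range(length):
        state = lcg_next(state)
        digits.append(f"{(state >> 16) & 0xF:x}")  # one nibble per call
    return "".join(digits), state


def recover_seed(observed_id: str, seed_space: range) -> Optional[int]:
    """Defender's check: search the seed space a time-seeded rand() really
    uses (here: seconds around a known moment). If this returns a seed, the
    generator state is known and every following id is predictable."""
    for candidate in seed_space:
        if weak_session_id(candidate, len(observed_id))[0] == observed_id:
            return candidate
    return None


def strong_session_id() -> str:
    """CSPRNG-backed id with 128 bits of entropy; there is no seed to recover."""
    return secrets.token_hex(16)


def demo() -> bool:
    """Returns True when the weak id's successor was predicted correctly."""
    seed = 1103760511  # constructed: a Unix-timestamp-like seed
    issued, server_state = weak_session_id(seed)
    found = recover_seed(issued, range(seed - 60, seed + 60))  # +/- 1 minute
    if found is None:
        return False
    predicted_next, _ = weak_session_id(weak_session_id(found)[1])
    actual_next, _ = weak_session_id(server_state)
    return predicted_next == actual_next
```

Running `demo()` shows the observed id alone lets the next id be computed, while `strong_session_id()` gives nothing to search.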


